Microsoft SharePoint Security Breach

A zero-day exploit chain targeting on-premises Microsoft SharePoint Server has compromised dozens of organizations worldwide, including at least two U.S. federal agencies, universities, and energy firms. The campaign, detected on July 18, 2025, chains two vulnerabilities: CVE-2025-53770, a deserialization flaw that gives an unauthenticated attacker remote code execution, and CVE-2025-53771, a spoofing bug that lets the attacker bypass authentication. Both are triggered with specially crafted HTTP requests.

Security researchers have named the exploitation chain "ToolShell." The attacker bypasses authentication by sending a POST request to the /_layouts/15/ToolPane.aspx endpoint with a Referer header set to /_layouts/SignOut.aspx, which causes the server to skip its authentication check for that request. Through that request the attacker drops a malicious .aspx file that reads the server's ASP.NET machine keys (the ValidationKey and DecryptionKey used to sign and encrypt view state). With those keys in hand, the attacker can generate validly signed __VIEWSTATE payloads that deserialize into arbitrary code, so remote code execution no longer depends on the webshell remaining on disk and survives a cleanup that only deletes the file. This grants control over SharePoint content and configuration and a path into connected services such as OneDrive, Teams, and Outlook.

ToolShell exploitation enables complete SharePoint compromise through authentication bypass and theft of the server's machine keys, giving attackers persistent code execution on the server and a foothold for moving further into the network.

Eye Security first detected large-scale exploitation on July 18, 2025, with multiple attack waves continuing through July 19. Microsoft acknowledges "dozens" of compromised systems globally, while CISA warns the impact may be widespread across organizations running on-premises SharePoint. The vulnerabilities affect only SharePoint Server installations; SharePoint Online in Microsoft 365 is not affected. Once attackers hold the server, they can use its service accounts and any credentials it stores to move laterally into the wider Windows domain.

A compromised SharePoint server gives attackers every document and list it hosts, the underlying system files, and the services connected to it, and its domain-joined service accounts make it a launch point for lateral movement across the Windows domain. Security experts note that the severity stems from the combination of the authentication bypass and the theft of the machine keys: the stolen keys let threat actors keep executing code on the server even after the original webshell is removed, so patching alone does not evict them. The webshell has commonly been found at C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\spinstall0.aspx.
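The following Python script is an added example, not code from the article, Microsoft, or Eye Security. It hunts for the indicators described in the two passages above in IIS W3C logs (the unauthenticated POST to ToolPane.aspx with a SignOut.aspx Referer, and any request for spinstall0.aspx) and checks a LAYOUTS directory for dropped spinstall*.aspx files. The log lines are constructed samples; the IP addresses and hostname in them are illustrative, and the extra "anonymous POST to the edit tool pane" heuristic is an assumption about how a variant without the Referer trick might look, not a documented indicator.

```python
"""Hunt IIS logs and the LAYOUTS directory for ToolShell indicators.

Added example, not code from the article, Microsoft, or Eye Security.
Indicators used:
  * POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit with a Referer of
    /_layouts/SignOut.aspx (the authentication bypass request)
  * any request for spinstall0.aspx (the key-dumping webshell)
  * spinstall*.aspx files in the SharePoint LAYOUTS directory
"""
from dataclasses import dataclass
from pathlib import Path
from typing import Iterator, List, Optional, Tuple

# Path named in the article as the common drop location for the webshell.
LAYOUTS_DIRS = [
    r"C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS",
]

# Constructed sample IIS W3C log (not real traffic; IPs and hostname are
# illustrative). Line 4 is the bypass request, line 5 the webshell fetch,
# line 6 a legitimate authenticated editor request that must not alert.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 21:04:11 10.0.0.5 GET /_layouts/15/start.aspx - 443 DOMAIN\\jdoe 10.0.0.77 Mozilla/5.0 - 200 0 0 120
2025-07-18 21:05:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 198.51.100.23 Mozilla/5.0 https://sharepoint.example.com/_layouts/SignOut.aspx 200 0 0 340
2025-07-18 21:05:09 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 198.51.100.23 Mozilla/5.0 - 200 0 0 15
2025-07-18 21:06:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 DOMAIN\\admin 10.0.0.12 Mozilla/5.0 https://sharepoint.example.com/_layouts/15/start.aspx 200 0 0 200
"""


@dataclass
class Finding:
    line_no: int
    client_ip: str
    reason: str


def parse_w3c(text: str) -> Iterator[Tuple[int, dict]]:
    """Yield (line_no, record) for each data line, naming columns from the
    #Fields header. Lines whose field count does not match are skipped."""
    fields: Optional[List[str]] = None
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue
        yield line_no, dict(zip(fields, parts))


def classify(rec: dict) -> Optional[str]:
    """Return a reason string if the record matches a ToolShell indicator."""
    method = rec.get("cs-method", "").upper()
    stem = rec.get("cs-uri-stem", "").lower()
    query = rec.get("cs-uri-query", "").lower()
    referer = rec.get("cs(Referer)", "").lower()
    user = rec.get("cs-username", "-")
    if "spinstall0.aspx" in stem:
        return "request for spinstall0.aspx webshell"
    if method == "POST" and stem.endswith("/toolpane.aspx") and "displaymode=edit" in query:
        if "/_layouts/signout.aspx" in referer:
            return "ToolShell auth bypass: POST ToolPane.aspx?DisplayMode=Edit with SignOut.aspx Referer"
        if user == "-":
            # Assumption: a variant that drops the Referer trick would still
            # show up as an anonymous POST to the edit tool pane.
            return "anonymous POST to ToolPane.aspx?DisplayMode=Edit"
    return None


def hunt(log_text: str) -> List[Finding]:
    """Run classify() over every parsed record and collect the hits."""
    findings = []
    for line_no, rec in parse_w3c(log_text):
        reason = classify(rec)
        if reason:
            findings.append(Finding(line_no, rec.get("c-ip", "?"), reason))
    return findings


def find_webshell_candidates(layouts_dir: str) -> List[str]:
    """Return spinstall*.aspx files in a LAYOUTS directory (empty if absent)."""
    path = Path(layouts_dir)
    if not path.is_dir():
        return []
    return sorted(str(p) for p in path.glob("spinstall*.aspx"))


if __name__ == "__main__":
    for f in hunt(SAMPLE_IIS_LOG):
        print(f"line {f.line_no} from {f.client_ip}: {f.reason}")
    for d in LAYOUTS_DIRS:
        for hit in find_webshell_candidates(d):
            print(f"webshell candidate on disk: {hit}")
```

Point hunt() at the contents of each W3C log under the SharePoint web application's IIS log directory; a hit on the SignOut.aspx pattern from an IP that then fetched spinstall0.aspx is the sequence the article describes, and the server's machine keys should be treated as stolen from that point on.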

Microsoft released emergency patches for SharePoint Server 2019 and SharePoint Subscription Edition on July 20, 2025, following a July 8 fix for the original ToolShell bugs that the new vulnerabilities bypass. A patch for SharePoint Server 2016 remains pending. CISA has advised affected organizations to disconnect vulnerable servers from the internet until patching is complete.

U.S., Canadian, and Australian authorities are investigating ongoing breaches linked to these vulnerabilities. Microsoft's updated remediation guidance recommends enabling the Antimalware Scan Interface (AMSI) integration in SharePoint, with Microsoft Defender Antivirus on the server, as an additional layer of protection, and rotating the ASP.NET machine keys and restarting IIS after patching, since keys already stolen remain valid until they are replaced.

Trend Micro reports that proactive TippingPoint customers received protection since May 2025, prior to widespread exploitation activities.
